On Thu, Feb 13, 2014 at 2:35 PM, √iktor Ҡlang <[email protected]> wrote:

> On Thu, Feb 13, 2014 at 2:06 PM, Raymond Roestenburg <[email protected]> wrote:
>
>> Hi Roland,
>>
>> On Thu, Feb 13, 2014 at 1:27 PM, Akka Team <[email protected]> wrote:
>>
>>> Hi Ray,
>>>
>>> good that you are looking into these things, and as far as I can see
>>> your assessment of the current situation is correct (i.e. no client
>>> certificate verification). If you plan on contributing more symmetric
>>> security, you are welcome to create a ticket and run with it; we have
>>> currently no work going on in that area, so collisions will be unlikely ;-)
>>>
>>> :-)
>>
>> Will do. It might take a while before you see anything appearing though.
>
> *sad face*

Now that expectations are set low, a happy face is on the horizon! ;-)

>>> Regards,
>>>
>>> Roland
>>>
>>> On Tue, Feb 11, 2014 at 12:38 PM, Raymond Roestenburg <[email protected]> wrote:
>>>
>>>> Also, I could not find any code that does hostname verification from
>>>> the client side, which is described as something that should be done
>>>> when using a raw SSLEngine. (I'm now obviously reading the JSSE docs :-)
>>>>
>>>> BTW I'm asking these questions to verify that my understanding is
>>>> correct, and as a basis for contributing to fix stuff in SSL support (if
>>>> something is missing) since I find it an interesting topic.
>>>>
>>>> On Monday, February 10, 2014 6:09:55 PM UTC+1, Raymond Roestenburg wrote:
>>>>>
>>>>> Hi guys,
>>>>>
>>>>> I'm working on a pull request for adding SSL support to ReactiveMongo.
>>>>> ReactiveMongo uses Netty and I remembered that akka-remote has a nice
>>>>> NettySSLSupport, so I'm obviously borrowing stuff (not without copying
>>>>> in the license and reference to Typesafe and akka of course!). Sadly I
>>>>> can't reuse the NettySSLSupport class since it's private to akka. I got
>>>>> basic SSL working this way, and I'm now looking into client certificates.
>>>>> And that's where I'm getting a bit confused :-)
>>>>>
>>>>> In the docs I see:
>>>>>
>>>>>     # This is the Java Key Store used by the client connection
>>>>>     trust-store = "truststore"
>>>>>
>>>>> The trust store is the keystore that you only keep trusted
>>>>> certificates in, like cacerts (public certs that you trust) as far as I
>>>>> know.
>>>>>
>>>>> Is client-authentication (client-side certificates) supported? The
>>>>> client certificates are normally not put in a truststore but in a
>>>>> separate keystore, since (if I'm correct) SSL/TLS needs both your client
>>>>> certificate and your client private key for the whole process.
>>>>> It looks like the configured "key-store" value is only used on the
>>>>> server side, so I would not be able to put client certificates there on
>>>>> the client side?
>>>>> Does this mean that, when I have Server A and B, that I need to put
>>>>> the client certificates of A on B, and of B on A, in the file that
>>>>> key-store refers to in the config? This is a bit confusing for me. The
>>>>> client should present its certificate when the server requests
>>>>> client-authentication.
>>>>>
>>>>> Also, I don't see code that uses setNeedClientAuth or
>>>>> setWantClientAuth, or any way to configure it, so it looks like you
>>>>> can't say that the server wants or requires client certs.
>>>>> Is that correct?
>>>>>
>>>>> Another thing that might be nice is to allow users to use SSL without
>>>>> having to specify the exact location of the keystores and use the
>>>>> defaults (which can work for SSL without client certificates, using the
>>>>> cacerts that comes with the JDK, and using the default SecureRandom etc.).
>>>>>
>>>>> I haven't looked into SSL for a while so it's very possible I'm
>>>>> misunderstanding.
>>>>>
>>>>> Cheers,
>>>>> Ray
>>>>>
>>>>> --
>>>> >>>>>>>>>> Read the docs: http://akka.io/docs/
>>>> >>>>>>>>>> Check the FAQ: http://akka.io/faq/
>>>> >>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Akka User List" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To post to this group, send email to [email protected].
>>>> Visit this group at http://groups.google.com/group/akka-user.
>>>> For more options, visit https://groups.google.com/groups/opt_out.
>>>
>>> --
>>> Akka Team
>>> Typesafe - The software stack for applications that scale
>>> Blog: letitcrash.com
>>> Twitter: @akkateam
>>
>> --
>> Raymond Roestenburg
>>
>> code: http://github.com/RayRoestenburg
>> blog: http://roestenburg.agilesquad.com
>> twtr: @RayRoestenburg
>> book: http://manning.com/roestenburg
>
> --
> Cheers,
> √
>
> Viktor Klang
> Chief Architect - Typesafe <http://www.typesafe.com/>
>
> Twitter: @viktorklang

--
Raymond Roestenburg

code: http://github.com/RayRoestenburg
blog: http://roestenburg.agilesquad.com
twtr: @RayRoestenburg
book: http://manning.com/roestenburg
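
The two checks the thread finds missing (the server requiring a client certificate, and the client verifying the server's hostname on a raw SSLEngine), sketched with plain JSSE. This is an added example, not part of the original messages and not code from Akka or ReactiveMongo; the class name, host name and port are made up for illustration.

```java
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import java.security.KeyStore;

public class MutualTlsEngines {  // hypothetical class name

    // With client authentication, BOTH peers need a key store (own certificate
    // plus private key) and a trust store (CAs or certificates of the peer).
    static SSLContext context(KeyStore keys, char[] keyPw, KeyStore trust) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPw);   // a null key store means: no certificate to present
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);         // a null trust store falls back to the JDK default (cacerts)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); // null: default SecureRandom
        return ctx;
    }

    static SSLEngine serverEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        // Require a client certificate; the handshake fails without a trusted one.
        // setWantClientAuth(true) would request a certificate without requiring it.
        engine.setNeedClientAuth(true);
        return engine;
    }

    static SSLEngine clientEngine(SSLContext ctx, String host, int port) {
        // The peer host must be passed in so there is a name to check against.
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        // A raw SSLEngine performs no hostname verification unless this is set.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Defaults only, so this runs without key store files; a real deployment
        // passes key stores loaded from disk. Host and port are constructed values.
        SSLContext ctx = context(null, null, null);
        SSLEngine server = serverEngine(ctx);
        SSLEngine client = clientEngine(ctx, "node-b.example", 2552);
        System.out.println("server needs client auth: " + server.getNeedClientAuth());
        System.out.println("client endpoint check: "
            + client.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```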
